CVE-2026-4404
Hardcoded Credentials in GoHarbor Harbor Allow Unauthorized Access
Publication date: 2026-03-23
Last updated on: 2026-03-24
Assigner: CERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| goharbor | harbor | 2.15.0 |
| goharbor | harbor | to 2.16.0 (exc) |
| goharbor | harbor | to 2.15.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
| CWE-1393 | The product uses default passwords for potentially critical functionality. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4404 is a vulnerability in GoHarbor Harbor versions 2.15.0 and below where hardcoded default credentials are used. This means that the software includes a default admin password that is set in the configuration and does not require the user to change it upon installation or first login.
Because the default password is stored in plaintext and not enforced to be changed, attackers can easily use this known password to gain unauthorized access to the Harbor web user interface.
This vulnerability arises from the use of default passwords that are widely known and can be exploited to bypass authentication, leading to unauthorized administrative access.
How can this vulnerability impact me? :
The impact of this vulnerability is that attackers can gain unauthorized access to the Harbor web UI by using the default hardcoded admin password.
This unauthorized access can lead to privilege escalation, allowing attackers to perform administrative actions within the Harbor container registry.
Such access could compromise container images, configurations, and potentially the security of the entire container deployment environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking if the Harbor installation is using the default hardcoded admin password, which is stored in plaintext within the system's configuration files."}, {'type': 'paragraph', 'content': "One way to detect it is to inspect the Harbor configuration file (typically harbor.yml or similar) for the presence of the default password value (e.g., 'Harbor12345')."}, {'type': 'paragraph', 'content': 'Commands to check for default credentials might include searching for the default password string in configuration files, for example:'}, {'type': 'list_item', 'content': "grep -r 'Harbor12345' /path/to/harbor/config/"}, {'type': 'list_item', 'content': 'cat /path/to/harbor/config/harbor.yml | grep harbor_admin_password'}, {'type': 'paragraph', 'content': 'Additionally, monitoring login attempts to the Harbor web UI for use of default credentials or scanning for open Harbor web UI endpoints could help identify vulnerable instances.'}] [2, 4]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately change the default admin password to a strong, unique password.
If you are installing or upgrading Harbor, use version 2.16.0 or later, which enforces interactive password setting during installation and removes the hardcoded default password.
If you have an existing installation on version 2.15.0 or below, manually update the admin password in the Harbor configuration and restart the service.
- Edit the harbor.yml configuration file to set a secure admin password.
- Run the Harbor installer script and provide a strong password when prompted.
Additionally, restrict access to the Harbor web UI to trusted networks and monitor for unauthorized login attempts.